On Jan 10, 2005, at 2:02 PM, Guy Harris wrote:

A more precise filter would fetch the IP total length, subtract the IP and TCP header lengths, and save only packets where the result is greater than zero; fetching those lengths would be done with the ip[offset:len] and tcp[offset:len] syntax, and doing the appropriate shifting and masking, as per the "expr relop expr" part of the section of the tcpdump manual page describing filter expressions. (Determining the expression to be used is left as an exercise to the reader.)

...or the reader can look at


although note that the IP and TCP header lengths are in units of 4-byte *words* while the IP packet length is in units of *bytes*, so you'd have to multiply the header lengths by 4 - and note also that the TCP header length is in the *upper* 4 bits of the byte:

        (ip[2:2] - (((ip[0] & 0x0f) << 2) + ((tcp[12] & 0xf0) >> 2))) > 0

might be the right answer - although, perhaps somewhat counterintuitively, "tcp[12]" doesn't check whether the protocol is TCP, so you really need

tcp and ((ip[2:2] - (((ip[0] & 0x0f) << 2) + ((tcp[12] & 0xf0) >> 2))) > 0)

(perhaps some parentheses are unnecessary; they cost nothing other than a few bytes/keystrokes in the filter).

Note also that this doesn't handle IPv6; that I will *still* leave as an exercise to the reader.
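The two filter expressions above, evaluated over constructed IPv4 packets as an added example (not code from this post, nor from WinPcap/libpcap). It assumes plain IPv4 with no checksums and placeholder addresses, and shows why the version without the leading `tcp and` also passes a UDP packet.

```python
# Added example, not code from the original post: performs the same
# arithmetic the filter does, over raw IPv4 packet bytes. In BPF, ip[n] is
# byte n of the IP header and tcp[n] is byte n of the transport header,
# located via the IP header length (IHL) field, whatever the protocol is.
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17

def tcp_byte(pkt, n):
    """tcp[n]: offset n past the IPv4 header, regardless of protocol."""
    return pkt[((pkt[0] & 0x0F) << 2) + n]

def payload_len(pkt):
    """ip[2:2] - (((ip[0] & 0x0f) << 2) + ((tcp[12] & 0xf0) >> 2))"""
    total = struct.unpack_from("!H", pkt, 2)[0]    # ip[2:2], in bytes
    ip_hdr = (pkt[0] & 0x0F) << 2                  # IHL: words -> bytes
    tcp_hdr = (tcp_byte(pkt, 12) & 0xF0) >> 2      # data offset: words -> bytes
    return total - (ip_hdr + tcp_hdr)

def matches_without_proto_check(pkt):
    """The first expression from the post: does not check that it is TCP."""
    return payload_len(pkt) > 0

def matches(pkt):
    """tcp and (... > 0): the corrected filter (ip[9] is the protocol)."""
    return pkt[9] == IPPROTO_TCP and payload_len(pkt) > 0

# Constructed sample packets (no checksums; addresses are placeholders).
def ipv4(proto, transport, payload=b""):
    total = 20 + len(transport) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + transport + payload

def tcp_hdr(options=b""):
    words = (20 + len(options)) // 4               # data offset in 4-byte words
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, words << 4,
                       0x18, 65535, 0, 0) + options

PKT_TCP_ACK  = ipv4(IPPROTO_TCP, tcp_hdr())                      # bare ACK
PKT_TCP_DATA = ipv4(IPPROTO_TCP, tcp_hdr(), b"HELLO")            # 5-byte payload
PKT_TCP_OPTS = ipv4(IPPROTO_TCP, tcp_hdr(b"\x01" * 12), b"abc")  # 32-byte header
PKT_UDP      = ipv4(IPPROTO_UDP, struct.pack("!HHHH", 53, 53, 24, 0),
                    b"A" * 16)                                   # not TCP at all

if __name__ == "__main__":
    for name in ("PKT_TCP_ACK", "PKT_TCP_DATA", "PKT_TCP_OPTS", "PKT_UDP"):
        pkt = globals()[name]
        print(name, payload_len(pkt), matches_without_proto_check(pkt), matches(pkt))
```

For the UDP packet, "tcp[12]" lands inside the UDP payload (0x41), so the header arithmetic yields a positive "payload length" and only the protocol check rejects it.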

This is the WinPcap users list. It is archived at
